// Trust & Security Report

    Outreach Corporation logo

    Outreach Corporation

    Outreach is an agentic AI revenue orchestration platform for sales engagement, deal management, conversation intelligence, forecasting, and account management; core sub-products include Outreach Voice (calling/recording), Outreach Omni, Agent Studio, Meeting Prep Agent, and Outreach MCP (integration layer for connecting the platform to other GTM tools/agents).

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certifications

    Verify on outreach.ai
    ISO 27001
    HELD

    Outreach has determined that our current security and data privacy controls, and certifications including ISO 27001 and ISO 27701, allow Outreach to adhere to the GDPR's requirements. Outreach maintains ISO 27001 certification (since 2015).

    Verify on outreach.ai
    ISO 27701 (Privacy Information Management)
    HELD

    GDPR compliance requirements are built into the control framework Outreach is audited against as a part of our ISO 27701 certification.

    Verify on outreach.ai
    ISO/IEC 42001 (AI Management System)
    HELD

    Outreach became the first revenue technology company to achieve ISO/IEC 42001:2023 certification... ISO 42001 joins SOC 2 Type II, HIPAA, ISO/IEC 27001, and ISO/IEC 27701 in Outreach's compliance portfolio. Date achieved: July 15, 2025.

    Verify on outreach.ai
    HIPAA
    HELD

    Outreach maintains a HIPAA attestation and offers BAAs to customers who require them and meet specific requirements. Customers who have not executed a BAA are not permitted to store, process, or transmit protected health information (PHI) within the Outreach platform.

    Verify on support.outreach.io
    CSA STAR (Cloud Security Alliance)
    HELD

    Trust page lists a 'Cloud Security Alliance (CSA)' heading followed by 'Security, Trust, Assurance, and Risk (STAR)' among Outreach's certifications. Confirmed present on the vendor Trust page, though gated audit documentation was not independently retrieved.

    Verify on outreach.ai
    EU-U.S. Data Privacy Framework / Privacy Shield
    HELD

    SOC 2 Type II, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certifications; Data transfers from EU/UK/Switzerland use standard contractual clauses and EU-U.S. Data Privacy Framework compliance.

    Verify on outreach.ai
    > Show 3 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS on Outreach's trust, security, or GDPR pages; not applicable as Outreach does not appear to process cardholder payment data as a core function.

    source: outreach.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on any Outreach-owned page.

    source: outreach.ai
    ISO 27017 / ISO 27018 (Cloud security / PII in cloud)
    NOT CONFIRMED

    No public evidence of ISO 27017 or ISO 27018 specifically; Outreach's listed cloud-related certifications are ISO 27001 and ISO 27701 only.

    source: outreach.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US-hosted (AWS) by default; an EU data center is available for customers requiring EU data tenancy ('Outreach's EU data center is available cross-platform for customers who require EU data tenancy' - outreach.ai/gdpr). EU/UK/Swiss transfers use SCCs and EU-U.S. Data Privacy Framework.

    Outreach's ML models are trained on aggregated behavioral/usage signals ('3 billion+ signals used to train Outreach machine learning models', '33+ million action-outcome pairings captured weekly' per outreach.ai/platform/sales-ai), governed by 'customers' contractual commitments' rather than a documented self-serve opt-out. One narrow carve-out is explicit: 'Google Workspace Data is not used to develop, improve, or train AI and/or ML models' (privacy-statement). No public page states a blanket opt-out for all AI training on customer content; customers should confirm training scope/opt-out in their MSA and the AI Data Use Whitepaper (available only via Account Management, not public).

    // Security controls

    Encryption in transit

    Data is encrypted in transit using industry-leading encryption standards.

    outreach.ai

    Encryption at rest

    Data is encrypted at rest using industry-leading encryption standards.

    outreach.ai

    Cloud infrastructure

    Production infrastructure hosted on Amazon Web Services (AWS) as primary IaaS provider.

    outreach.ai

    Penetration testing

    Outreach contracts with industry-leading penetration testing providers to examine production architecture at least once a year.

    outreach.ai

    Bug bounty

    Outreach employs a private bug bounty program with security researchers testing the platform continuously.

    outreach.ai

    Access controls

    Granular role-based access controls; admins can define who can view, edit, or share content and grant/deny record visibility.

    outreach.ai

    AI agent governance

    Configurable agent controls define what agents can and can't do, with full audit trails for every action taken (per homepage; not independently detailed on the governance page beyond data/access controls).

    outreach.ai

    Data residency controls

    Customers can control retention of voice recordings, meeting recordings, and emails; EU citizen data can be hosted in the EU data center.

    outreach.ai

    SSO

    Enterprise-grade encryption, SSO, and role-based access controls built to secure revenue data (per homepage marketing copy; not independently detailed with a protocol list on a dedicated security page).

    outreach.ai

    Trust center access

    Full certification documents, whitepapers, diagrams, and questionnaire responses are gated behind account executive / account management contact, not publicly downloadable.

    outreach.ai

    // Products & data scope

    Outreach Core Platform (Sales Engagement / Deal Management)Sales engagement & revenue orchestration

    data: CRM records, email, calendar, deal/pipeline data

    Primary enterprise product; SOC 2 Type II, ISO 27001, ISO 27701 apply.

    Outreach VoiceCalling & call recording

    data: Call recordings, voice transcripts, consent-to-record data

    Consent-to-record is customizable per local regulation; retention configurable by admins.

    Outreach AI Agents / Agent Studio / Sales AIAgentic AI for sales workflows

    data: Aggregated behavioral signals, action-outcome data used for ML training

    Newly ISO/IEC 42001-certified (AI management system, July 2025); training governed by contract terms, no public self-serve opt-out documented.

    Outreach MCPIntegration / interoperability layer

    data: Cross-tool GTM data flow for agent actions

    New capability enabling agents to act across connected tools; no distinct compliance documentation found separate from core platform.

    Healthcare / regulated-industry use (via BAA)Sales tool used by healthcare sales teams

    data: Incidental/unintended PHI only; not designed to store PHI

    HIPAA attestation + BAA available on request; customers without an executed BAA are NOT permitted to store, process, or transmit PHI in the platform. Outreach is explicitly a sales workflow tool, not a healthcare data system.

    // What to watch

    • Full trust-center documentation (audit reports, questionnaires) is gated behind 'contact your Account Executive' - not independently verifiable by AIFOXX beyond the public marketing-page claims.
    • HIPAA is an attestation + optional BAA, not a formal government certification; product is explicitly NOT designed to store PHI and default (non-BAA) customers are prohibited from putting PHI into the platform. Do not list this as unconditional 'HIPAA compliant' - it is conditional and use-case-limited.
    • No public, customer-facing opt-out for AI/ML training on general product usage data was found; only Google Workspace data has an explicit no-train carve-out. Training is described as governed by 'contractual commitments' rather than a documented default-off or self-serve toggle - potential over-claim risk if AIFOXX states 'does not train on customer data' without qualification.
    • CSA STAR listing was sourced from a single vendor page (platform/trust) and not independently cross-confirmed on a second Outreach-owned page or the CSA STAR public registry; treat as vendor-claimed pending registry cross-check.

    // At a glance

    Pricing model

    Enterprise B2B contract/quote-based (per-seat, tiered by platform capability); no self-serve public pricing found on captured/fetched pages.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Outreach Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    outreach.ai

    > Browse all vendor trust reports